Malvertising Campaign Used a Free Certificate From Let's Encrypt (csoonline.com) 123
itwbennett writes: On Wednesday, Trend Micro wrote that it discovered a cyberattack on Dec. 21 that was designed to install banking malware on computers. The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control, wrote Joseph Chen, a fraud researcher with Trend. The subdomain used an SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate issued by Let's Encrypt, the first large-scale project to issue free digital certificates. which is run by the ISRG (Internet Security Research Group) and is backed by Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai, among others. The incident has sparked disagreement over how to deal with such abuse, writes Jeremy Kirk.
Why the emphasis on Lets Encrypt? (Score:5, Insightful)
This style of attack would have been able to get an SSL cert from most cheap cert providers, as most of the cheap ones only require you to dump a particular file in the right place on the website for verification, so why the emphasis on "Lets Encrypt"? Because they are "cheaper than cheap"?
Re:Why the emphasis on Lets Encrypt? (Score:5, Informative)
.
Unlike most other CA's, Let's Encrypt has a very short lifetime on their certs (60 days, I believe) so that an abused cert quickly falls out of the eco-system. I've read that Let's Encrypt eventually wants to shorten that lifetime even more, to 30 days.
Most other CAs have cert lifetimes of a year (or longer). Then the question surfaces - how useful is cert revocation? Do all TLS clients check for cert revocation?
Re: (Score:3, Informative)
The lifetime at launch is actually 90 days (https://letsencrypt.org/2015/11/09/why-90-days.html)
The rest is correct.
Re: (Score:2)
Re:Why the emphasis on Lets Encrypt? (Score:5, Informative)
Most SSL/TLS clients do not check for a relevant CRL. The few that do (such as Firefox and other web browsers) typically require configuration and won't check for revocation by default out of the box.
In contrast, nearly all SSL/TLS clients that I am aware of (certain MTAs being an exception) will refuse to use an expired certificate unless specifically instructed to do so by the end user. So expiration is more likely to have an effect than revocation.
Re: (Score:2, Informative)
CRL's are of limited usefulness anyway. There is no guarantee that the attackee will be able to contact the CRL site and everyone defaults to trusting the revoked cert in this case.
Posted AC to preserve mods
Re: (Score:2)
Most SSL/TLS clients do not check for a relevant CRL.
And that's the important point in this case, revocation doesn't work so why bother? Other CAs go through the pretense (well, if enough pressure is put on them, typically via public shaming, mostly they ignore misuse of certs), while Lets Encrypt has made a sensible policy decision not to bother.
A more amusing issue is the current discussion on one of the Mozilla lists about what to do about Kazakhstan's request to get their MITM CA cert included in the browser's list of trusted CAs.
Re: (Score:2)
30 days, 60 days, 90 days, whatever. The average life span of a trojan before it gets detected even by MS Defender is 3 days, tops.
Re: (Score:3)
They HAVE automated revoking of certs. The revoking happens by the owner of the cert though (in this case, the attacker). How would you automate the process of revoking otherwise, especially in a way that doesn't cause false positives which would render websites unreachable by clients?
Re: (Score:2)
Re: (Score:2)
It used to be, one had to prove being "a legitimate business" to obtain an SSL certificate. But you are right, that proliferation of cheap — and therefore not caring — CAs has devalued it.
Yes. As long as some kind of payment is required, it is usually possible to identify the buyer. This possibility itself is a deterrent...
I am all for the ability to remain anonymous,
Re: (Score:3)
...Yes. As long as some kind of payment is required, it is usually possible to identify the buyer. This possibility itself is a deterrent... ...
Bitcoin has changed that aspect of the algorithm.
Additionally, more traditional pay methods have become so automated and inexpensive to use that it is quite easy to change payment methods on a frequent basis, effectively making tracing worthwhile only for the most egregious offenses.
Re: (Score:2)
It used to be, one had to prove being "a legitimate business" to obtain an SSL certificate.
True, TLS certificates were originally supposed to be organization-validated. But in the original model, how was the hobbyist operator of a web site supposed to protect passwords of the site's users from eavesdropping?
Re: (Score:3, Informative)
The original model was meant to facilitate online commerce. Netscape invented SSL and was pushing it despite the opposition from IPsec proponents — because SSL-certificates were to provide assurance, that the remote end is a legitimate business. One may argue, the encryption aspect was secondary.
If it is only a small part of data, that actually needs encryption
NoScript, MITM of the crypto script, and Firesheep (Score:4, Informative)
If it is only a small part of data, that actually needs encryption — the password and the credit card number — you can do that (using the well-known and studied protocols) in JavaScript.
What you describe is similar to what Tloz proposes in the question "How to replace SSL/TLS? [stackexchange.com]". But using client-side script to encrypt passwords has three drawbacks:
Re:Why the emphasis on Lets Encrypt? (Score:5, Informative)
If it is only a small part of data, that actually needs encryption â" the password and the credit card number â" you can do that (using the well-known and studied protocols) in JavaScript.
No you can't do that, no stop right right WRONG.
The JavaScript itself must be delivered on a authenticated encrypted channel because if it isn't how will my browser know its not supposed to run that XMLHttpRequest call to post a second plan text copy of that info to evil-hacker.com after you main in the middle my amazon session in the coffee shop.
Same goes with forms that are delivered over http but post https, this wrong and dangerous for the same reason. You can do authentication and encryption in the application layer if its a fat client and the client already has a static copy of trusted code form elsewhere but in the case of web site where the 'application' is being downloaded from the server the client needs a way authenticate and ensure transport integrity while obtaining the application itself otherwise its game over, your pwnd before you begin. The network layer is the correct place.
Re: (Score:2)
Yes, but this download can arrive from an SSL-using server run by a company big enough to actually have its certificate application properly validated. Think jquery.js.
The question was not, whether SSL is needed at all, but how can a small operator secure logins without going through the extensive and expensive validation originally envisioned for SSL-certificates.
Re: (Score:2)
No that does not solve the problem. Because if I am getting the main page over http, and I am the victim of an MITIM attack than the attacker can alter the page to source jquery.js from a site they control. Without or without SSL itself.
Actually what you describe is worse! Unlike the more general situation where the attacker needs somehow needs to modify page content he does not probably know about ahead of time (assuming he just wants to get any access to my stuff not just a specific site) he got to do
Re: (Score:1)
Well, you just described, why the whole ssh thing — which you download from somewhere to then run — is not secure... Is it?
I suppose, you trust the source of the ssh-distribution — you'd need a similar trust in the source of my hypothetical JS-library.
ssh does not give you that either — not on the first connection. Unless the remote's fingerprint is published in a (secure) DNS. Khmm, maybe, that'd be the altern
Re: Why the emphasis on Lets Encrypt? (Score:2)
Re: (Score:3)
If it is only a small part of data, that actually needs encryption — the password and the credit card number — you can do that (using the well-known and studied protocols) in JavaScript.
If... I personally would like to have everything encrypted, such as what I read on Slashdot or on Wikipedia.
Re: (Score:2)
IPSec was supposed to do that. But appearance of SSL nipped IPSec' spread in the bud. And the revanche attempts by IPv6 [infosecisland.com] are so far faltering.
Re: (Score:1)
Re: (Score:3)
"CAs has devalued it"
The values have shifted, not become less. The value used to be in verification of business. Now, partly thanks to the NSA, the value is more in encrypting all possible web traffic. There are enough major organizations that all collectively agree that encryption is more valuable than the bottom line at this point that Let's Encrypt can give out certs for free.
Re: (Score:1)
The certificate in question was used to distribute banking malware. I doubt its creators would have any qualms with using a stolen payment method.
Re: (Score:2)
Re: (Score:1)
Perhaps it's because Trend Micro sells certs...
Re: (Score:2)
Or maybe they sell web security software that relies on unencrypted HTTP connections to detect malware.
Re: (Score:1)
Primarily because the for-profit CAs would simply revoke a certificate that was issued fraudulently. From the Trend Micro blog:
I don't really follow Lets Encrypt's logic here of why they won't revoke the certificate. It seems their only argument is that "there's other ways to deal with the problem". Which is true, but I don't see why taking multiple approaches isn't a good idea.
If the certificate had been
Re: (Score:2, Informative)
The cert wasn't issued fraudulently. The domain validation is totally legit seeing as the attackers had control of the domain.
Re: (Score:1)
" so why the emphasis on "Lets Encrypt?"
Cheap shot at a competitor, nothing more.
Re: (Score:2)
The certificates from Lets Encrypt (and other commonly used cheap providers) are "domain validated", which is the lowest rung of site certificate. These are perfectly okay for everyday use on Internet sites that don't process highly sensitive data.
The best consumers can do is demand extended validation certificates for their banking sites, and each time you connect to your bank's site verify you are using an EV certificate.
Re: (Score:2)
The emphasis on Lets Encrypt is likely because that way Trend Micro will get more visibility for "the new thing is bad". Trying to say "the old thing is bad" mostly causes yawns though it is a known problem.
So simply: marketing.
Re: (Score:2)
Or this style of attack could be performed by using an SSL cert that was already present on the hacked server...
Re: (Score:1)
Re: (Score:2)
Yeah, Linux is such a piece of dung...
Inevitable (Score:4, Interesting)
I think that one way to deal with this would be in the browser.
Currently, EV certs will turn the address bar green or have some other indication above and beyond the normal "lock" icon.
Perhaps we need to have a different color or indication for each kind of cert.
Also, perhaps have a warning in the browser if the last known certificate is from a different CA and/or has a different validation level from the certificate currently being presented by the same domain.
Other than that, I am not sure what could be done on the server side of things. The system is meant to be free and open... which, by definition, means it is going to be abused.
Re: (Score:2)
Given the number of users who can be fooled into thinking a site is "secure" just by having an image of a key appearing somewhere on the page (not the browser chrome, but actually in the HTML of the site), what's the point of adding more chrome?
I doubt most users are capable of understanding the concept of chain of trust nor levels of verification behind different certificates. I'm positive that capabilities aside, the vast majority don't want to learn the difference and willfully avoid learning.
Re: (Score:2)
I just don't buy into this 100%
I think that if you take the time to explain the importance of something and relate it to something they care about (like not getting their important files held ransom, for example) they will listen. It is just about making it easy to understand.
Now, I have personally met users who are willfully ignorant. I think they are the minority though.
Re: (Score:2)
I just don't buy into this 100%
I think that if you take the time to explain the importance of something and relate it to something they care about (like not getting their important files held ransom, for example) they will listen. It is just about making it easy to understand.
Now, I have personally met users who are willfully ignorant. I think they are the minority though.
Well, last time I checked Failbook still has a lot of losers. So, no, you may explain until you turn blue, if the user wants the cute cat picture, the user will get it, no matter what.
Re: (Score:2)
Ok, you are right. abuse is not the definition of "free and open".
What I meant to say was that free and open systems tend to be abused. Think public restrooms...
Re: Inevitable (Score:2)
Are you the same guy who invented the five-color terror alert scale and no one knows what the different colors mean?
We have a puce alert in the browser bar!
Re: (Score:2)
How would you suggest breaking down the different types of certificates to assign them a security level? By the price of the certificate? By the rigour of the verification?
Technically there's no difference between a $0 Lets Encrypt cert, a $5 SSLs.com cert or a $250 Symantec cert - they are all basic SSL certificates and all use similar methods for domain verification (either put a named file in the root of your website, add a particular DNS entry to your domain or reply to email sent to webmaster@ postmast
Re: (Score:2)
The UI is wrong. Secure should be the default, what we want is to indicate insecurity. Normal HTTPS connections should be white, and unencrypted HTTP red. Reserve green for enhanced certs.
Neither Google, Facebook, nor Amazon is EV (Score:2)
The certificates for www.google.com, facebook.com, and www.amazon.com aren't EV either.
In theory, certificates of full-time for-profit companies ought to be at least organization-validated. But apart from Comodo Dragon, most browsers don't do much to distinguish a domain-validated certificate from an organization-validated one.
Re: (Score:2)
It's not even the cost aspect, a criminal gang is unlikely to think twice about paying for a certificate fraudulently (e.g. with stolen card details).
Great Response (Score:5, Informative)
This article looks like a really good response to the issue: https://unmitigatedrisk.com/?p=552
Re: (Score:1)
The problem here seems to be that people are assuming that a certificate means more than it actually does. The certificate certifies the identity of the site and gives no information about the contents or reliability of the site.
Meanwhile, as everyone is busy debating the pro and con of certificates, the bigger issue is ignored:
"The cybercriminals had compromised a legitimate website and set up a subdomain that led to a server under their control"
As long as there are "legitimate" websites who don't give two shits about security, certificates are meaningless.
Re: (Score:2)
The problem is that for the longest time we've told people to look for that all-powerful HTTPS encryption with the green icon next to it saying that it's really what it claims to be.
Can't really shift the blame on that one.
Why we cannot have nice things.. (Score:5, Interesting)
The ad brokers do not care that bad ads slipped in as they make money on any, so they have zero incentive to remove malvertising other than a cursory effort to appease the lawyers and government.
This is why I install adblocks on all customer machines now (and we process a large amount). To an end user advertising of of limited utility, and comes with at minimum high annoyance and at worst malware/fraud/id theft.
Case in point, I was trying to find news information on a police standoff near my house, and one of the official local news stations ads were targeting nexus 6 with a scam 'free iPad' redirect. This only occurred on my Nexus 6, not a PC or LG phone. This is just normal day to day browsing, and I could not even read the news.
The state of affairs when it comes to online advertising and scams is very bad and will kill the industry very soon if changes are not made. Unfortunately it will likely bring down many good sites for real content with it.
Re: (Score:2)
The only reason a CA would revoke a cert on it's own is if it were assigned to someone who didn't have the rights to request it. Eg. if they sign a cert for google.com to someone who doesn't control google.com at the time of signing.
This is different, these criminals had control over a subdomain and used it to forward it to their own domain which was in turn encrypted with SSL. The criminals had control over their domain and used an SSL certificate on their domain. The idiots at the bank or whatever allowed
Re: (Score:3)
To be approved for inclusion in pretty much any reputable application, a CA has to conform to the requirements laid out by the CA/Browser forum; see https://cabforum.org/wp-conten... [cabforum.org] -- you'll note that Section 9.6.3, bullet 5 requires the ability for the domain holder to request revocation. Let's Encrypt conforms to these requirements. While ACME requires specific authentication material to perform automatic revocation, there's a manual process in place.
From https://letsencrypt.org/reposi... [letsencrypt.org] : "To report p
Re: (Score:2)
"CAs cannot respond fast enough and likely do not have enough information to vet requests for new certificates fully."
They used to. The problem is not that they can't, the problem is that they learned that the end user neither understands nor cares for proper verification, so why they should pay care when that means less business and higher costs?
Re: (Score:2)
Any sane ad-broker has a very good reason to care about malvertising and to put a lot of resource into filtering it out - and you identify it in your own post.
The rise in malvertising is serving as a huge driver for the use of adblockers. Moreover, while early adoption of adblockers was mostly by well-informed home and small-business users, the rise of malvertising means that major corporate and Government networks are increasingly switching to adblock-by-default. Which in turn means that a lot of less-info
Re: (Score:2)
...The state of affairs when it comes to online advertising and scams is very bad and will kill the industry very soon if changes are not made. ...
Exactly correct.
.
The whole online advertising technical model is little more than an unfettered and insecure conduit deep into the personal ecosystem of people on the Internet.
The system was developed and is run by people who are more concerned about the number of hits an ad gets than about the security of the person's device into which they have intruded.
Java JRE has had a cert for years (Score:1)
The Java browser plugin infected millions, loaded bloatware, and generally has been a nuisance for years.
It eventually was blacklisted [infoworld.com] from [skillsoft.com] browsers [mozilla.org].
Let's not pretend SSL certs were supposed to do things they're not. You can be certain no one is imitating the malware site. And that's all a SSL cert means.
Malvertising is a trivially solvable problem (Score:2, Insightful)
Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format. There's no reason to let random people on the internet inject scripts from totallynotmalwarenoreally.ru into ads on the New York Times' site.
Does an advertiser trust a publisher's stats? (Score:2)
But for some reason, the interwebs is somehow different
It is different. On the web, unlike in print, advertisers demand accurate view counts and accurate click counts. A web publisher that hosts advertisers' ads on its own site has an incentive to fraudulently inflate these. An ad network, on the other hand, is theoretically a neutral party and competing with other ad networks to offer analytics that are no less accurate than those of other ad networks. So how likely is an advertiser to trust reach statistics provided by a publisher compared to those provided b
There is no such standardized ad format yet (Score:2)
Why the hell do ads need to be able to run arbitrary 3rd party scripts? Give them an image, some text, etc. and they stick it in their ad format.
Because only scripts can animate "an image" and "some text" on a <canvas> element. Ideally, the advertiser would author the animation and export a set of data that represents keyframes, and a publicly auditable script hosted by the ad network would use this data to present the animation. But to my knowledge, there is as of yet no such standardized format to represent canvas animations.
Re: (Score:2)
Animated GIF does not compensate for motion (Score:2)
Good old-fashioned gifs can animate without use of a script.
Each frame of an animated GIF has to include all pixels that have changed since the last frame. They can't compensate for motion, which means text fading in or sliding in from the side will bloat the file larger than a script+keyframes approach would. And with ad networks recognizing the realities of a pay-per-bit market for Internet access, advertisers will prefer a format that fits a more attractive ad into the same file size.
Half-donkeyed auditing (Score:2)
I didn't even go so far as to say no scripts, I said 3rd party scripts.
I misunderstood your post. Others have used the term "third-party scripts" to include any script not on the same domain as the page itself, such as the script for serving ads itself.
You can make all the stupid animated punch the duck ads you want, and give the script to the ad network to audit and host.
A third-party script hosted by the ad network is unlikely to get audited well unless it's used by a substantial number of different advertisers. That's what I meant by a "standardized format to represent canvas animations": an ad network could afford to put effort into auditing a script that plays such a format.
Why does it need to be hosted on an unknown 3rd party domain, subject to being replaced at a whim with exploit code?
The exploit code
Let's Encrypt is only for encryption (Score:2, Informative)
As a user, seeing a website using a Let's Encrypt or StartSSL certificate does not tell me anything about the legitimacy of that website. All it does is guarantee that my connection won't be intercepted through a MITM attack. Personally, I never "just trust" the little lock icon in my address bar: I click it and see who signed it. Then I make a decis
Re: (Score:2)
FUD.
Free certs technically are exactly the same as every other cert. What you probably mean is to choose a higher validation than DV. That's the only reason you should pay someone money. But that has nothing to do with which devices accept your cert. That is a matter of server config and how you configure your TLS algorithms.
Comodo Dragon warning for DV certs (Score:2)
Devices running the Comodo Dragon browser visibly distinguish [comodo.com] DV from OV certificates. I don't know if it still does, but it at least used to present an interstitial page for DV certificates [netcraft.com] that resembles other browsers' interstitial for an unknown CA.
Re: (Score:2)
I never "just trust" the little lock icon in my address bar: I click it and see who signed it.
That's one of the reasons I use TLSA on my website. It provides another check to the validity of my cert for those people who bother to validate it via TLSA/DANE.
Re: (Score:3)
Re: (Score:2)
99.99% is too generous a number. Stretch out those 9s a bit more
If non-EV means unsafe, not much is safe (Score:2)
Green bar is safe, the rest is not.
By that metric, Google, Facebook, Amazon, SourceForge, and GNU are unsafe because they're not EV. (I just checked.) Twitter, GitHub, Mozilla, and Outlook/Hotmail are safe though. eBay has a green bar on those few pages it does serve with HTTPS, but it's unsafe because many pages redirect from HTTPS to HTTP.
But can a site run as a hobby, as opposed to a full-time business, be made "safe"?
Applies to All Non-EV Certificates (Score:5, Informative)
If they were able to create a subdomain, that means the attackers controlled all traffic to that subdomain.
Since most certificate authorities only verify via email to the domain for which the certificate is requested, the attackers would have gotten a certificate from virtually any CA.
There are additional verification steps required for EV certificates that should thwart this sort of attack, but singling out Let's Encrypt for issuing a certificate in this case is disingenuous.
The real problem lies with the DNS registrar that accepted an unauthorized subdomain registration request. (Or maybe the client's account was compromised, in which case the victim is to blame.)
Either way, the submission titles makes it seem this is a problem with Let's Encrypt when it most certainly is not.
Re: Applies to All Non-EV Certificates (Score:1)
Re: (Score:2)
CERTs are to ensure I'm talking to the domain I believe I am and that said communication is protected from other parties. Whether or not talking to that domain in the first place is a good idea is out of scope.
Re: (Score:2)
Whether or not talking to that domain in the first place is a good idea is out of scope.
Detractors of domain-validated certificates disagree with this statement on grounds that most non-technical users won't notice the typo in "BankOfArnerica.com".
Re: (Score:1)
I don't think you understand how domains or DNS works... you don't register a sub-domain. You create a sub-domain via an NS record in DNS. That's it. No registration required.
Agree with Lets Encrypt (Score:2)
Fighting hacking/spam is the duty of police enforcement according to local law not CA's and technical companies. What next, a CA base in China or Russia refusing to grant "gays" certs for their sites as immoral? There is no line, everything is over the line, a CA should exercise zero discretion with re
Re: (Score:2)
That is easily solved by the person who owns mysite.com creating individual certs for those sub-domains but the authority to do so should be delegated to them not require additional sips from the CA trough and really that should happen along with registration of the domain and expire along with the domain registration. Your root NS entries point from the TLD to your authoritative NS, if you control those you control the domai
Changes won't fix the problem, but still good idea (Score:2)
Firstly, the attackers here had enough control to alter the site's DNS data. If they've got that much control, likely they also have access to the SSL private keys for the site. Even if they don't, they've enough control that they can do anything they want anyway by using subdirectories on existing servers. So, any changes Let's Encrypt might make still won't protect against this attack. SSL server certificates insure you're talking to the host you think you're talking to, they say nothing about whether tha
Re: (Score:3)
They already do confirm you have control over the domain. The only difference is that it's (as good as) fully automated through the ACME protocol. You can verify it by hosting a website on that domain, you can verify it by sending an e-mail to the domain. Any other CA (even VeriSign) does the same thing unless it's StartSSL or an EV domain for which you have to actually submit paperwork that you are the business owner.
Re: (Score:2)
StartSSL does domain verification by sending e-mail to an administrative address (pulled from WHOIS data) (for their Class 1 certificates anyway).
Re: (Score:2)
The 'free' SSL certificates, yes, but I don't think you can use them for business. Their 'verified' SSL certificates require paperwork.
Re: (Score:2)
Lets encrypt does the checks for control of domain like the other certificate authorities.
And really people should use DNS Certification Authority Authorization(RFC 6844) to only allow the certificate authorities they want to use. Though I am not sure if all certificate authorities follow it yet, but at least most do so it is risk mitigation.
It's an education issue. (Score:2)
There's a difference between privacy and trust, but browsers don't make that clear to the user in a consistent or even useful matter. That said, nothing will ever completely fix a layer 0 issue except education.
Why not just teach your people (Score:2)
DNS (Score:4, Insightful)
This is just ridiculous. The problem here is that the attacker was able to create a new DNS sub-domain. The Let's Encrypt angle is just a red herring from a company (Trend Micro) that wants to make money selling SSL certificates.
Simple solution (Score:2)